cyber assured systems engineering
TRANSCRIPT
© 2020 Collins Aerospace
C YB E R A S S U R E D S YS TE M S E N G I N E E R I N G W I T H A A D L
D A R R E N C O F E RF E L L O W / T R U S T E D S Y S T E M SD A R R E N . C O F E R @ C O L L I N S . C O M
Approved for public release. Distribution is unlimited.
A A D L / A C V I P U S E R D A Y S4 F E B R U A R Y 2 0 2 1
1
© 2020 Collins Aerospace
C O L L I N S - L E D D A R P A C Y B E R A S S U R E D S Y S T E M S E N G I N E E R I N G ( C A S E ) P R O J E C T
TEAM
• Collins Aerospace• Architectural transformations for cyber-resilience• Component synthesis and proofs• Formal analysis and assurance case• Tool integration
• Data 61• seL4 formally verified secure microkernel for memory protection• Formally verified components (seL4, CakeML language)
• University of Kansas• Formally verified attestation for distributed computing platforms
• Adventium• Real-time scheduling• AADL modeling and code generation
• Kansas State University• Automatic code generation from architecture models with proof of equivalence• Information flow analysis
2Approved for public release. Distribution is unlimited.
© 2020 Collins Aerospace
• Integrated model-based systems engineering tool suite based on Architecture Analysis & Design Language (AADL) models
• Transform system design to satisfy cyber-resiliencyrequirements
• Generate new high-assurance components from formal specifications
• Verify system design using formal methods and document evidence/compliance with assurance case
• Generate software integration code directly from verified architecture models, targeting multiple operating systems (including seL4)
BR I E FCASE TOOL CAPABIL IT IES
SAE AS5506 STANDARD
3Approved for public release. Distribution is unlimited.
Why AADL?• Sufficiently rigorous semantics to support analysis• Correct level of abstraction (supports construction)• OSATE supports addition of new capabilities
© 2020 Collins Aerospace
3 TECHNOLOGY PILLARS
MBSECModel-Based Systems
Engineering for Cybersecurity
CY-RESArchitectural Transformations
for Cyber-Resiliency PROOFEnd-to-End Integrated
Formal Verification
TransformedModels
seL4Capabilities
Assurance Case
ArchitectureModel
Verified Components
ComponentSpecs
4
1. Developer assistance to implement cyber-resiliency• Automated architecture transforms for threat mitigation• High assurance components generated from specifications• Techniques to deal with legacy code (cyber retrofit)
2. MBSE environment for high-assurance cyber-resilient system development
• Build system directly from detailed, verified AADL model• Makes the security guarantees of seL4 accessible to system
developers• Ability to target different platforms to facilitate incremental
debugging/development
3. Integration of formal verification/proof• Formal verification of functional and cyber-resiliency properties,
information flow properties, component proofs• Code generation equivalence to model, seL4 build preserves
properties• Integrate evidence as an assurance case demonstrating how/why
requirements are satisfied
Approved for public release. Distribution is unlimited.
© 2020 Collins Aerospace
BR IEFCASE TOOL ARCHITECTURE
OSATEAADL model
HAMR plugin Cyber Transform
plugin
AGREE
Resolute
SPLAT
CAmkES input model
TA1 pluginCyber Reqtsplugins
CAmkES
UAV exe
seL4 capDL
C compiler CakeMLcompiler
Component implementation
and glue *.c files
Solvers
System Build
evidence
Component implementation
and glue CakeML files
6
UAV exe
Linux
SystemModelingEnvironment
High-Assurance Code GenerationTools
Approved for public release. Distribution is unlimited.
© 2020 Collins Aerospace
ARCHITECTURAL TRANSFORMATIONS FOR CYBER-RESIL IENCY
OSATEAADL model
HAMR plugin Cyber Transform
plugin
AGREE
Resolute
SPLAT
CAmkES input model
TA1 pluginCyber Reqtsplugins
CAmkES
UAV exe
seL4 capDL
C compiler CakeMLcompiler
Component implementation
and glue *.c files
Solvers
System Build
evidence
Component implementation
and glue CakeML files
7
UAV exe
Linux
SystemModelingEnvironment
High-Assurance Code GenerationTools
1. CY-RES
Approved for public release. Distribution is unlimited.
© 2020 Collins Aerospace
• Choose one of the Cyber Requirements generation tools
• CRA GearCASE plugin• Vanderbilt/DOLL DCRYPPS plugin
• Initial model data is exported to selected tool
• Requirements import wizard manages the generated requirements
• Select action• Naming/tagging• Associate with formal properties
• Requirements inserted into model as Resolute goals (GSN)
• We will build an assurance argument to satisfy these goals
1 . GENERATE / IMPORT CYBER REQUIREMENTS
DCRYPPS GearCASE
Candidate Cyber
Requirements
Inse
rt G
oals
in
to M
odel
8Approved for public release. Distribution is unlimited.
© 2020 Collins Aerospace
• Cyber requirements tools provide model context and sometimes suggested mitigation
• System engineer selects from available cyber-resiliency transformations
• Filter• Monitor• Gate (controlled by monitor)• Attestation• Virtualization• seL4 build prep
• Wizard interface collects needed configuration data
• Tool automatically transforms AADL model
• Also adds Resolute assurance case strategy to show how the associated goal (requirement) is satisfied
2 . APPLY CYBER TRANSFORMATIONS
PROC
VMFILTIN OUT
IN1
MONALERT
IN2 GATEINOUT
CTL
AMID
REQ
RSP
9Approved for public release. Distribution is unlimited.
© 2020 Collins Aerospace
• Resolute links cyber transform to goal as a GSN strategy• Checks for violations/changes that impact correctness• Collects evidence and generates assurance case
2A. INSERT ASSURANCE CASE STRATEGY
10Approved for public release. Distribution is unlimited.
© 2020 Collins Aerospace
• Some of the cyber transforms insert new high-assurance components into the model
• The behavior of the component (its contract) is specified in AGREE
• SPLAT generates component implementations from their specifications
• SPLAT also generates a proof showing that the component implements its specification
3 . GENERATE HIGH ASSURANCE COMPONENTS
SPLAT
CCakeML
Proof• Other components (such as the Attestation Manager) are pre-built pre-verified libraries
• Their implementations are essentially library functions that are added to the build, possibly with some configuration data from the model
11Approved for public release. Distribution is unlimited.
© 2020 Collins Aerospace
Hardware
• How can we deal with legacy code/systems?• Example: UxAS
• Open source, less trusted• Not designed for cybersecurity• Written in C++
USE CASE : “CYBER RETROFIT”
C
B
D
A
Operating System (Linux, etc.)
WPM WPM
MON
FILT
Secure Microkernel (seL4)Virtual Machine
1. Virtualize legacy system• Support for multiple VMs, if needed
2. Host on seL43. Extract/harden critical components4. Filter inputs5. Monitor outputs
12Approved for public release. Distribution is unlimited.
© 2020 Collins Aerospace
MODEL-BASED SYSTEMS ENGINEERING FOR CYBERSECURITY
OSATEAADL model
HAMR plugin Cyber Transform
plugin
AGREE
Resolute
SPLAT
CAmkES input model
TA1 pluginCyber Reqtsplugins
CAmkES
UAV exe
seL4 capDL
C compiler CakeMLcompiler
Component implementation
and glue *.c files
Solvers
System Build
evidence
Component implementation
and glue CakeML files
14
UAV exe
Linux
SystemModelingEnvironment
High-Assurance Code GenerationTools
2. MBSEC
Approved for public release. Distribution is unlimited.
© 2020 Collins Aerospace
M O D E L - B A S E D S Y S T E M S E N G I N E E R I N G F O R C Y B E R S E C U R I T Y
MBSEC
• The model IS the system • It is not just a picture for communication, or a way to capture
requirements, or a means to perform analyses • It is all of those things, but it is also how we will actually
build the system, and do so in a way that ensures compliance with the design captured in the model
• Rationale for AADL• Provides the necessary precision and semantics for building
real-time distributed embedded software systems• MBSE for seL4
• Furthermore, we are bridging the gap between systems engineers and the formally verified seL4 microkernel
• Ensure usability by systems engineers and promote successful transition
• HAMR• High Assurance Modeling for Rapid Engineering• Code generation from AADL models
AADL
15Approved for public release. Distribution is unlimited.
© 2020 Collins Aerospace
H A M R A N D S E L 4
SOFTWARE INFRASTRUCTURE
• HAMR is a multi-stage translation architecture to address CASE goals of component migration between platforms and information flow control
• Semantic consistency from model to execution• Ensures model-level analysis applies to deployed code• Same computational model across different platforms• Build for multiple target platforms:
• seL4 / Linux / Virtual Machine• Build for workstation / emulator / embedded platform
AADL
Por
t Com
m S
ervic
e Ab
s La
yer
Application Code
AADL
Infra
stru
ctur
e Po
rt Co
mm
unica
tion
Abs
Laye
r
Plat
form
Com
m
Infra
stru
ctur
e
Prog
Lan
guag
e AA
DL P
ort
Com
m A
bs L
ayer
Platform Thread Infrastructure
AADL Thread Infrastructure Abs Layer
AADL Thread Entry Points/ Dispatch Logic
Prog
Lan
guag
e AA
DL P
ort
Com
m A
bs L
ayer
AADL
Por
t Com
m S
ervic
e Ab
s La
yer
AADL
Infra
stru
ctur
e Po
rt Co
mm
unica
tion
Abs
Laye
r
Plat
form
Com
m
Infra
stru
ctur
e
HAM
Rco
de
gene
ratio
n
seL4 is…• An operating
system microkernel• A hypervisor• Proved correct• Provably secure• Fast
• seL4 microkernel guarantees partitioning of components and communication, backed by computer-checked proofs
• seL4 guarantees no infiltration, exfiltration, eavesdropping, interference, and provides fault containment for untrusted code
16
Approved for public release. Distribution is unlimited.
© 2020 Collins Aerospace
HAMR SUPPORTS MULTIPLELANGUAGE/ PLATFORM COMBINATIONSThe flexibility of being able to easily shift between different platforms was quite useful as the team experimented with building the Phase 2 Experimental Platform assessment deliverable.
JVM/Slang – data types, port constraints, basic aspects of application logic, initial unit testing – some mocked up components, many useful visualizations
Linux C – compile Slang to C, or manually code C, and debug C implementation, VMs mocked up
seL4 C / Qemu – C application code easily ports to seL4 native components, add in VMs, test/simulate/debug in QemuseL4 C / board – seL4 build shifted to actual hardware for final testing and deployment
AADL / OSATE – design model, types, perform analyses
17Approved for public release. Distribution is unlimited.Adventium / Kansas State
© 2020 Collins Aerospace
HAMR ABSTRACTION LAYERS
AADL
Por
t Com
m
Serv
ice A
bs L
ayer Application
Code
AADL
Inf
rast
ruct
ure
Port
Com
mun
icatio
n Ab
s La
yer
Plat
form
Com
m
Infra
stru
ctur
e
Prog
Lan
guag
e AA
DL
Port
Com
m A
bs L
ayer
… …
Platform Thread InfrastructureAADL Thread Infrastructure Abs Layer
AADL Thread Entry Points/ Dispatch
Logic
T1
T2
P1P2P3P4
T3
Prog
Lan
guag
e AA
DL
Port
Com
m A
bs L
ayer
AADL
Por
t Com
m
Serv
ice A
bs L
ayer
AADL
Inf
rast
ruct
ure
Port
Com
mun
icatio
n Ab
s La
yer
Plat
form
Com
m
Infra
stru
ctur
e
Port communication APIs
Threading APIs
18Approved for public release. Distribution is unlimited.Adventium / Kansas State
© 2020 Collins Aerospace
APPLICATION LOGIC
Unit hamr_SW_WaypointPlanManagerService_thr_Impl_Impl_timeTriggered_(STACK_FRAMEhamr_SW_WaypointPlanManagerService_thr_Impl_Impl this) {bool dataReceived = false;size_t numBits = 0;uint8_t payload[MAX_PAYLOAD];
dataReceived = api_get_ReturnHome__hamr_SW_WaypointPlanManagerService_thr_Impl_Impl(this);if (dataReceived) {
returnHome = true;}
if (returnHome || automationResponse != NULL) {dataReceived = api_get_AirVehicleState__hamr_SW_WaypointPlanManagerService_thr_Impl_Impl(
this, &numBits, payload);if (dataReceived) {
air_vehicle_state_in_event_data_receive_handler(this, payload);}
}}
Standardized entry point for HAMR / AADL periodic threads (skeleton auto-generated)
Use of auto-generated API for input event port
Use of auto-generated API for input event data port
Note: Same C APIs are used for seL4 native, seL4 VM (as an option), and Linux. These mirror the structure of Slang and CakeML APIs.
21Approved for public release. Distribution is unlimited.Adventium / Kansas State
© 2020 Collins Aerospace
• Define rules in Resolute that correspond to modeling guidelines
• Group rules into rulesets corresponding to organizational process, customer requirements, certification guidelines, and tool constraints
• Automatically check compliance with modeling guidelines in OSATE
RESOLINT: L INTER TOOL FOR AADL MODELS
22
Modeling Guidelines
Approved for public release. Distribution is unlimited.
© 2020 Collins Aerospace
END-TO-END INTEGRATED FORMAL VERIFICATION
OSATEAADL model
HAMR plugin Cyber Transform
plugin
AGREE
Resolute
SPLAT
CAmkES input model
TA1 pluginCyber Reqtsplugins
CAmkES
UAV exe
seL4 capDL
C compiler CakeMLcompiler
Component implementation
and glue *.c files
Solvers
System Build
evidence
Component implementation
and glue CakeML files
23
UAV exe
Linux
SystemModelingEnvironment
High-Assurance Code GenerationTools
3. PROOF
Approved for public release. Distribution is unlimited.
© 2020 Collins Aerospace
END-TO-END INTEGRATED FORMAL VERIFICATION
system properties
architecture properties
high-assurance components legacy components
HAMR correspondence proof
CAmkES translation proof
seL4 initializer proof
seL4 proof
assurance case
24Approved for public release. Distribution is unlimited.
© 2020 Collins Aerospace
AADL
BRIDGING THE GAPW I T H P R O O F S
25Approved for public release. Distribution is unlimited.
seL4 integrity policy (access control) is enforced on a running system.
1
seL4 system initializer constructs system whose capabilities and objects conform tocapDL specification
2CAmkEStranslates system description into capDL spec
3 HAMR translates AADL model into CAmkES system description
4
© 2020 Collins Aerospace
HAMR CORRESPONDENCE PROOF CONCEPT
4
AADL Model
ComponentHAMR generates a topological structure using Alloy relations
Port
Connection
4
HAMR Generates Traceability Information
Com
pone
nt
Trac
eabi
lityPo
rt Tr
acea
bilit
y
Application code for
component
Port
Connection
Executable Code and Configuration Information
HAMR generates a topological structure using Alloy relations
Observation point in code associated with port input
Observation point in code associated with port output
Flow-path in code corresponding to realization of communication for connection
FlowPreservation (formal spec in Alloy): For every connection between two components in AADL, there is a flow path in the source code between code artifacts associated with the ports.
NoNewFlows (formal spec in Alloy): For every flow path between two components in the source code, there is a connection in the AADL model between corresponding ports.
Kansas State26Approved for public release. Distribution is unlimited.
© 2020 Collins Aerospace
A F R L U X A S A U T O N O M O U S M I S S I O N P L A N N E R
P H A S E 2 U AV D E M O N S T R AT I O N
• Ground Station sends automation requests to UAV• UAV Mission Computer processes requests and
generates flight plans• UAV Flight Control Computer computes guidance
commands to follow current segment of flight plan
27
• CASE evaluation team developed cyber attacks on baseline platform
• Collins team hardened platform using BriefCASE tools
• Evaluation team attacks ineffective against hardened platform
M A R T I N S U P E R - B A T
P I C C O L OF C C
O D R O I D - X U 4M I S S I O NC O M P U T E R
G R O U N D S T A T I O NApproved for public release. Distribution is unlimited.
© 2020 Collins Aerospace
ATTACKS / MIT IGATION
GND STN
All UAV software runs on formally verified seL4 secure kernelUxAS software isolated in Linux virtual machine (cyber retrofit)Specific attacks from evaluation team mitigated:1. Malformed messages blocked by high-assurance filter2. High-assurance geofence monitor detects plan that violates KeepOutZone
and sends alert to WaypointManager to trigger return to baseResponse monitor detects crashed UxAS planner and alerts operator
3. Remote attestation measures ground station software and detects modified code
Trojans added to UxAS PlanBuilderServiceReplaces AutomationResponse with plan that violates KeepOutZone
2
Malformed ground station messages
1
UAV MISSION COMPUTER
28
Code added to ground station software to generate malicious requests
3
Approved for public release. Distribution is unlimited.
© 2020 Collins Aerospace
H T T P : / / L O O N W E R K S . C O M / P R O J E C T S / C A S E
CASE PHASE 2 DEMO VIDEOS
Approved for public release. Distribution is unlimited.29
This video provides a demonstration of the BriefCASE tool environment, showing how to use the tools to address multiple cyber-resiliency requirements for a UAV mission computing system (22:35).
In part two, we run the hardened UAV mission computing system built in the first video and test it against several cyber attacks to show the effectiveness of the approach (10:13).
© 2020 Collins Aerospace
B A S E L I N E S Y S T E M ( P H Y S I C A L )
CASE PHASE 3 DEMONSTRATION
• Collins Common Avionics Architecture System (CAAS)• Goal : Extend (securely) to add wireless connectivity• Idea : Repurpose one of the mission processing modules (VPM) to act as guard using BriefCASE AADL tools
30
VPM VDTUMC1ADSB TAC-SVS
PSM1
SwitchDigital switch
on PSM1
Other CAAS
WirelessRouter
PilotTablet1
SoldierTablet2
Approved for public release. Distribution is unlimited.
© 2020 Collins Aerospace
H A R D E N E D S Y S T E M
CASE PHASE 3 DEMONSTRATION
31
VDTUMC1VPMADSB TAC-SVS
PSM1
SwitchDigital switch
on PSM1
PilotTablet1
Other CAAS
SoldierTablet2
Wireless Router
• Filter messages to/from tablets• Attestation of tablet(s)• Monitor ADSB traffic for spoofing• seL4 hosting Android
• Attestation
VDTU
• Virtualization for legacy functions
Approved for public release. Distribution is unlimited.
© 2020 Collins Aerospace
• Developer assistance to implement cyber-resiliency• Automated architecture transforms for threat mitigation• High assurance components generated from specifications• Techniques to deal with legacy code (cyber retrofit)
• MBSE environment for high-assurance cyber-resilient system development
• Build system directly from detailed, verified AADL model• Makes the security guarantees of seL4 accessible to system developers• Ability to target different platforms to facilitate incremental
debugging/development
• Integration of formal verification/proof• Formal verification of functional and cyber-resiliency properties, information
flow properties, component proofs• Code generation equivalence to model, seL4 build preserves properties• Integrate evidence as an assurance case demonstrating how/why
requirements are satisfied
CONCLUSION
MBSECModel-Based Systems
Engineering for Cybersecurity
CY-RESArchitectural Transformations
for Cyber-Resiliency
PROOFEnd-to-End Integrated
Formal Verification
32
Open-source tools : GitHub.com/Loonwerks/formal-methods-workbenchDemo video : Loonwerk.com/projects/case.html
Approved for public release. Distribution is unlimited.